s07-流量内容监控-attack.ppt

网络攻击的检测和预防,第七章,目录,常见网络攻击的检测和预防DoS攻击的防范,黑客攻击网络的一般过程,信息的收集利用的公开协议或工具TraceRoute程序SNMP协议DNS服务器Whois协议Ping实用程序,黑客攻击网络的一般过程,系统安全弱点的探测主要探测的方式自编程序慢速扫描体系结构探测利用公开的工具软件,黑客攻击网络的一般过程,建立模拟环境，进行模拟攻击根据前面两小点所得的信息建立一个类似攻击对象的模拟环境对此模拟目标进行一系列的攻击,黑客攻击网络的一般过程,具体实施网络攻击根据前几步所获得的信息结合自身的水平及经验总结相应的攻击方法等待时机，以备实施真正的网络攻击,协议欺骗攻击及防范,源IP地址欺骗攻击在路由器上的解决方法防止源IP地址欺骗行为的措施抛弃基于地址的信任策略使用加密方法进行包过滤,协议欺骗攻击及防范,源路由欺骗攻击防范源路由欺骗攻击的措施抛弃由外部网进来却声称是内部主机的报文在路由器上关闭源路由,协议欺骗攻击及防范,拒绝服务攻击防止拒绝服务攻击的措施调整该网段路由器上的配置强制系统对超时的Syn请求连接数据包复位缩短超时常数和加长等候队列在路由器的前端做必要的TCP拦截关掉可能产生无限序列的服务,拒绝服务攻击,用超出被攻击目标处理能力的海量数据包消耗可用系统，带宽资源，致使网络服务瘫痪的一种攻击手段两种使用较频繁的攻击形式TCP-SYNflood半开式连接攻击UDPflood,拒绝服务攻击,拒绝服务攻击,UDPfloodUdp在网络中的应用如，DNS解析、realaudio实时音乐、网络管理、联网游戏等基于udp的攻击种类如，unix操作系统的echo,chargen.echo服务,拒绝服务攻击,Trinoo是基于UDPflood的攻击软件Trinoo攻击功能的实现是通过三个模块付诸实施的攻击守护进程NS攻击控制进程MASTER客户端NETCAT，标准TELNET程序等,拒绝服务攻击及防范,六个trinoo可用命令MtimerDosMdieMpingMdosmsize,拒绝服务攻击,拒绝服务攻击,攻击的实例:被攻击的目标主机victimIP为:5ns被植入三台sun的主机里，他们的IP对应关系分别为client1:1client2:2client3:3master所在主机为masterhost:4首先我们要启动各个进程，在client1，2，3上分别执行ns，启动攻击守护进程，其次，在master所在主机启动mastermasterhost#./master?gOrave(系统示输入密码，输入gOrave后master成功启动)trinoov1.07d2+f3+cMar202000:14:38:49(连接成功),拒绝服务攻击,在任意一台与网络连通的可使用telnet的设备上，执行telnet427665Escapecharacteris.betaalmostdone(输入密码)trinoov1.07d2+f3+c.rpm8d/cb4Sx/trinoo(进入提示符)trinoomping(我们首先来监测一下各个攻击守护进程是否成功启动)mping:SendingaPINGtoeveryBcasts.trinooPONG1Receivedfrom1PONG2Receivedfrom2PONG3Receivedfrom3(成功响应)trinoomtimer60(设定攻击时间为60秒)mtimer:Settingtimeronbcastto60.trinoodos5DoS:Packeting5.,拒绝服务攻击,至此一次攻击结束，此时ping5，会得到icmp不可到达反馈，目标主机此时与网络的正常连接已被破坏,拒绝服务攻击,由于目前版本的trinoo尚未采用IP地址欺骗，因此在被攻击的主机系统日志里我们可以看到如下纪录Mar2014:40:34victimsnmpXdmid:Willattempttore-establishconnection.Mar2014:40:35victimsnmpdx:errorwhilereceivingapdufrom1.59841:Themessagehasawrongheadertype(0 x0)Mar2014:40:35victimsnmpdx:errorwhilereceivingapdufrom2.43661:Themessagehasawrongheadertype(0 x0)Mar2014:40:36victimsnmpdx:errorwhilereceivingapdufrom3.40183:Themessagehasawrongheadertype(0 x0)Mar2014:40:36victimsnmpXdmid:ErrorreceivingPDUThemessagehasawrongheadertype(0 x0).Mar2014:40:36victimsnmpXdmid:Errorreceivingpacketfromagent;rc=-1.Mar2014:40:36victimsnmpXdmid:Willattempttore-establishconnection.Mar2014:40:36victimsnmpXdmid:ErrorreceivingPDUThemessagehasawrongheadertype(0 x0).Mar2014:40:36victimsnmpXdmid:Errorreceivingpacketfromagent;rc=-1.,拒绝服务攻击防范,检测系统是否被植入了攻击守护程序办法检测上述提到的udp端口如netstat-a|grepudp端口号用专门的检测软件,拒绝服务攻击及防范,下面为在一台可疑设备运行结果，Loggingoutputto:LOGScanningrunningprocesses./proc/795/object/a.out:trinoodaemon/usr/bin/gcore:core.795dumped/proc/800/object/a.out:trinoomaster/usr/bin/gcore:core.800dumpedScanning/tmp.Scanning/./yiming/tfn2k/td:tfn2kdaemon/yiming/tfn2k/tfn:tfn2kclient/yiming/trinoo/daemon/ns:trinoodaemon/yiming/trinoo/master/master:trinoomaster/yiming/trinoo/master/.:possibleIPlistfileNOTE:Thismessageisbasedonthefilenamebeingsuspicious,andisnotbasedonananalysisofthefilecontents.ItisuptoyoutoexaminethefileanddecidewhetheritisactuallyanIPlistfilerelatedtoaDDOStool./yiming/stacheldrahtV4/leaf/td:stacheldrahtdaemon/yiming/stacheldrahtV4/telnetc/client:stacheldrahtclient/yiming/stacheldrahtV4/td:stacheldrahtdaemon/yiming/stacheldrahtV4/client:stacheldrahtclient/yiming/stacheldrahtV4/mserv:stacheldrahtmasterALERT:OneormoreDDOStoolswerefoundonyoursystem.PleaseexamineLOGandtakeappropriateaction.,拒绝服务攻击防范,封掉不必要的UDP服务如echo,chargen,减少udp攻击的入口,拒绝服务攻击防范,路由器阻挡一部分ipspoof,syn攻击通过连接骨干网络的端口采用CEF和ipverifyunicastreverse-path使用accesscontrollists将可能被使用的网络保留地址封掉使用CAR技术限制ICMP报文大小,SpecificAttackTypes,Allofthefollowingcanbeusedtocompromiseyoursystem:PacketsniffersIPweaknessesPasswordattacksDoSorDDoSMan-in-the-middleattacksApplicationlayerattacksTrustexploitationPortredirectionVirusandwormsTrojanhorseOperatorerror,IPSpoofing,IPspoofingoccurswhenahackerinsideoroutsideanetworkimpersonatestheconversationsofatrustedcomputer.TwogeneraltechniquesareusedduringIPspoofing:AhackerusesanIPaddressthatiswithintherangeoftrustedIPaddresses.AhackerusesanauthorizedexternalIPaddressthatistrusted.UsesforIPspoofingincludethefollowing:IPspoofingisusuallylimitedtotheinjectionofmaliciousdataorcommandsintoanexistingstreamofdata.AhackerchangestheroutingtablestopointtothespoofedIPaddress,thenthehackercanreceiveallthenetworkpacketsthatareaddressedtothespoofedaddressandreplyjustasanytrustedusercan.,IPSpoofingMitigation,ThethreatofIPspoofingcanbereduced,butnoteliminated,throughthefollowingmeasures:AccesscontrolThemostcommonmethodforpreventingIPspoofingistoproperlyconfigureaccesscontrol.RFC2827filteringYoucanpreventusersofyournetworkfromspoofingothernetworks(andbeagoodInternetcitizenatthesametime)bypreventinganyoutboundtrafficonyournetworkthatdoesnothaveasourceaddressinyourorganizationsownIPrange.AdditionalauthenticationthatdoesnotuseIP-basedauthenticationExamplesofthisincludethefollowing:Cryptographic(recommended)Strong,two-factor,one-timepasswords,ApplicationLayerAttacks,Applicationlayerattackshavethefollowingcharacteristics:Exploitwellknownweaknesses,suchasprotocols,thatareintrinsictoanapplicationorsystem(forexample,sendmail,HTTP,andFTP)Oftenuseportsthatareallowedthroughafirewall(forexample,TCPport80usedinanattackagainstawebserverbehindafirewall)Canneverbecompletelyeliminated,becausenewvulnerabilitiesarealwaysbeingdiscovered,ApplicationLayerAttacksMitigation,Somemeasuresyoucantaketoreduceyourrisksareasfollows:Readoperatingsystemandnetworklogfiles,orhavethemanalyzedbyloganalysisapplications.Subscribetomailingliststhatpublicizevulnerabilities.Keepyouroperatingsystemandapplicationscurrentwiththelatestpatches.IDSscanscanforknownattacks,monitorandlogattacks,andinsomecases,preventattacks.,NetworkReconnaissance,Networkreconnaissancereferstotheoverallactoflearninginformationaboutatargetnetworkbyusingpubliclyavailableinformationandapplications.,NetworkReconnaissanceMitigation,Networkreconnaissancecannotbepreventedentirely.IDSsatthenetworkandhostlevelscanusuallynotifyanadministratorwhenareconnaissancegatheringattack(forexample,pingsweepsandportscans)isunderway.,VirusandTrojanHorses,Virusesrefertomalicioussoftwarethatareattachedtoanotherprogramtoexecuteaparticularunwantedfunctiononauserswor